Attacktive Directory Report

Active Directory is a database and set of services that connect users to network resources. Nmap scans found ports 139, 445, and 88 open, indicating NetBIOS, SMB, and Kerberos services. Kerbrute was used to brute force Kerberos and discover the usernames "svc-admin" and "backup". AS-REP roasting retrieved the hashes for these accounts, one of which was cracked. Secretsdump extracted the NTLM hash of the Administrator account, and psexec was used to gain domain admin privileges. Each flag was then retrieved from user desktop folders.

Uploaded by

Ajay Kulkarni

Attacktive Directory report.md 6/6/2021

Active Directory: Active Directory is a database and set of services that connect users with the network
resources they need to get their work done. Most companies run on Active Directory.

Enumeration-1

Using Nmap against the given IP 10.10.14.74, we can see that ports 139 and 445 are open, which are NetBIOS
and SMB. NetBIOS: a service that allows applications on different computers to communicate within a LAN.
SMB: SMB stands for Server Message Block and is used for sharing files, printers, etc.

Then, using the enum4linux tool, we can enumerate these ports. First flag - enum4linux

```shell
enum4linux -A 10.10.14.74
```


So the second flag is `THM-AD`.

Looking at the name of the Active Directory domain, and with some research, we can understand that .local is the
commonly used TLD.

Enumeration-2

Looking at the Nmap scan report, we can find another open port: 88 (Kerberos). Kerberos is the
authentication service within Active Directory. With this port open, we can use a tool called kerbrute to
brute-force for the discovery of users and passwords.

With the given userList.txt and passwordList.txt from the GitHub repo we can brute-force
Kerberos.


So it is noticeable that the usernames that can be discovered from the output are svc-admin (flag 3) and backup (flag 4).

Abusing Kerberos

How does Kerberos work?

Under Kerberos, the client generally sends a request to the Key Distribution Center (KDC). The KDC creates a
Ticket Granting Ticket (TGT) for the client, encrypts it using the client's password as the key, and sends the
encrypted TGT back.

Then, using the TGT, we can ask the KDC for a TGS (Ticket Granting Service ticket) to access a specific
service in Active Directory, such as SQL. We also found a service account (svc-admin) which runs
a service. Since we have a TGS ticket, we can send that ticket to the specific service, and that service will
authenticate the user with the provided TGS. The service uses its username and password to decrypt
the TGS and determine whether it is valid or not.

In our case, we found two specific usernames, but we don't have a password to request a TGT. However, a
feature exists in Kerberos that enables an attack called AS-REP Roasting. AS-REP Roasting relies on a user account
having the attribute "Do not require Kerberos preauthentication" set, which means the account does
not need to provide valid identification before requesting a Kerberos ticket for the specified user
account.

To perform AS-REP Roasting, there is a tool called Impacket; the script is located in
impacket/examples/GetNPUsers.py and will allow us to query AS-REP-roastable accounts from the Key
Distribution Center. The prerequisite for using this tool is knowing usernames, which we have already
enumerated.

After receiving the hash, we can crack it using john with the password list; the recovered
password is management2005.
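The two Kerberos weaknesses used in this report (wordlist-driven username discovery against port 88, and an account with "Do not require Kerberos preauthentication" set) both leave traces a defender can audit for. The script below is an added example, not code from the original report or from the Attacktive Directory room; it assumes account records in the shape of an LDAP export (`sAMAccountName`, `userAccountControl`) and TGT-request records carrying the fields of Windows Security event 4768, and every account, event, IP and username in it is constructed for the example.

```python
"""Audit helpers for the two Kerberos weaknesses described above (added
example, not from the original report).

Assumptions, not taken from the report:
  - account records are dicts with 'sAMAccountName' and 'userAccountControl',
    the shape an LDAP export of the domain would give;
  - event records are dicts carrying the fields of Windows Security event 4768
    (a Kerberos TGT request) that matter here.
All sample accounts and events below are constructed for this example.
"""
from collections import Counter

# userAccountControl bits (values from the Windows UF_* flag definitions)
UF_ACCOUNTDISABLE = 0x2
UF_NORMAL_ACCOUNT = 0x200
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed LDAP-style export: svc-admin carries the flag the report abuses,
# old-svc carries it too but is disabled and so issues no tickets.
ACCOUNTS = [
    {"sAMAccountName": "svc-admin", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "backup", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "old-svc", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
]


def accounts_without_preauth(accounts):
    """Enabled accounts with DONT_REQ_PREAUTH set: each one hands an
    offline-crackable AS-REP to anyone who knows the username."""
    return sorted(
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
        and not a["userAccountControl"] & UF_ACCOUNTDISABLE
    )


# Constructed event 4768 records. pre_auth_type 0 means "logon without
# pre-authentication"; result 0x0 is success and 0x6 is
# KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account). etype 0x17 is RC4-HMAC.
EVENTS_4768 = [
    {"user": "svc-admin", "ip": "10.10.99.9", "pre_auth_type": 0, "result": "0x0", "etype": "0x17"},
    {"user": "backup", "ip": "10.10.99.9", "pre_auth_type": 2, "result": "0x0", "etype": "0x12"},
    {"user": "alice", "ip": "10.10.99.20", "pre_auth_type": 2, "result": "0x6", "etype": "-"},
]
# A wordlist-driven username check leaves a burst of 0x6 failures from one host
# (the names that do not exist); constructed here as guess0..guess5.
EVENTS_4768 += [
    {"user": f"guess{i}", "ip": "10.10.99.9", "pre_auth_type": 0, "result": "0x6", "etype": "-"}
    for i in range(6)
]


def asrep_roast_candidates(events):
    """TGTs issued with no pre-authentication, as (user, source, etype).
    etype 0x17 (RC4) is the cheapest to crack offline, so fix those first."""
    return [
        (e["user"], e["ip"], e["etype"])
        for e in events
        if e["result"] == "0x0" and e["pre_auth_type"] == 0
    ]


def user_enumeration_sources(events, threshold=5):
    """Hosts that produced at least `threshold` 'client not found' failures."""
    counts = Counter(e["ip"] for e in events if e["result"] == "0x6")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("accounts without pre-auth:", accounts_without_preauth(ACCOUNTS))
    print("AS-REP roast candidates:", asrep_roast_candidates(EVENTS_4768))
    print("username enumeration sources:", user_enumeration_sources(EVENTS_4768))
```

The account check is the fix-side view: clearing the "Do not require Kerberos preauthentication" flag (and moving the account to AES-only encryption types) removes what GetNPUsers.py queries for. The event checks are the detection-side view of the same two steps: a 4768 with pre-authentication type 0 is the KDC handing out an AS-REP on request, and a burst of 0x6 failures from one source is what a username wordlist looks like in the TGT log.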

Enumeration (back to basics)

Since we have a username and password, we can log in to the server. We can use the smbclient tool to
do this.

Using the secretsdump.py tool we can extract the NTLM hashes, including the Administrator account's:

```shell
secretsdump.py spookysec.local/backup:'backup2517860'@10.10.22.125 -just-dc
```
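The `-just-dc` step above works by asking the domain controller to replicate its directory to the caller, which is only possible because the account used holds the directory replication rights. That request is logged on the DC as Security event 4662 carrying the replication extended-rights GUIDs, so it can be caught. The script below is an added example, not code from the original report; it assumes records in the shape of the 4662 fields that matter (subject account, object type, Properties), and the DC machine account name and all sample records are constructed for the example.

```python
"""Flag directory replication requested by principals that are not domain
controllers (added example, not from the original report).

Assumptions, not taken from the report: each record is a dict with the
Subject account name, Object Type and Properties fields of Windows Security
event 4662 (an operation on an AD object). Sample records and the DC machine
account name are constructed for this example.
"""
import re

# Extended-rights GUIDs that directory replication requires. Legitimate
# replication is requested by DC machine accounts; the same rights requested
# by an ordinary user account are the signature of a DCSync-style dump, which
# is what secretsdump's -just-dc option performs.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed: the domain's DC machine account(s).
DOMAIN_CONTROLLERS = {"DC01$"}

# Constructed 4662 records. The Properties field lists the access-right GUIDs
# requested followed by the object class GUID; only the two replication GUIDs
# matter here, the remaining GUIDs are sample values.
EVENTS_4662 = [
    {"subject": "DC01$", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"subject": "backup", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"subject": "svc-admin", "object_type": "user",
     "properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_by_non_dc(events, domain_controllers):
    """Return (subject, sorted replication GUIDs) for every 4662 record in
    which a principal outside `domain_controllers` requested replication."""
    hits = []
    for e in events:
        if e["subject"] in domain_controllers:
            continue
        requested = {g.lower() for g in GUID_RE.findall(e["properties"])}
        repl = sorted(requested & REPLICATION_GUIDS)
        if repl:
            hits.append((e["subject"], repl))
    return hits


if __name__ == "__main__":
    for subject, guids in replication_by_non_dc(EVENTS_4662, DOMAIN_CONTROLLERS):
        print(f"replication requested by non-DC account {subject}: {guids}")
```

The matching preventive control is to review who holds DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object; in this report the dump succeeded with the backup account, which implies that account had been granted those rights.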


Next, to gain admin privileges we can use a tool called psexec.py with the following command:

```shell
psexec.py Administrator@10.10.22.125 -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
```

After gaining admin access, each flag is located in the respective user's Desktop folder.
